The Cybersecurity 202: These researchers worry more about cybercriminals hacking the grid than nation-state hackers

The sun rises beyond power lines in St. Charles Parish, La., on Jan. 31. (Gerald Herbert/AP)

The Department of Homeland Security wants utility companies to beware of nation-state hackers who seek to infiltrate the U.S. electrical grid. But a prominent cybersecurity firm says there’s another type of adversary that officials and utility operators need to watch out for.

Researchers at Cybereason say cybercriminal groups may pose a more immediate threat than nation state groups to electricity providers and other critical infrastructure such as wastewater facilities or manufacturing plants. Government-backed intruders tend to focus on quietly gathering information about the systems they penetrate, while cybercrime groups often use more amateurish techniques to compromise a network. That means they're more likely to damage equipment or cause disruptions, even if they don’t intend to.

“They’re not looking to throw the switch, but they might throw the switch by accident,” Ross Rustici, Cybereason’s senior director of intelligence, told me.

The Boston-based firm wrapped up an experiment last week in which researchers set up a fake utility network and watched as hackers bearing the hallmarks of cybercriminals penetrated it in a matter of days. While the hackers showed some advanced skills, they used a few sloppy methods that raised “red flags” about their potential to inadvertently cause failures in the system, researchers concluded.

DHS, tasked with protecting U.S. critical infrastructure, has publicly devoted its attention largely to the threat from nation states. These findings paint a more complete picture for policymakers and utilities facing a rise in malicious cyber activity -- and spotlight a potential threat that hasn't been as much of a focus in public remarks by top officials.

In Washington, the focus has largely been on Russia. Officials say Russian government hackers have penetrated the business systems of U.S. nuclear power and other energy companies. And DHS said in a recent public briefing that Russian military hackers had infiltrated the control rooms of electric utilities across the country over the past year, and that the activity was part of an ongoing campaign. The adversaries appeared interested in conducting espionage and possibly laying the groundwork for future cyberattacks, officials and experts noted.

But less sophisticated nonstate actors are targeting the same systems for different reasons — some, for example, may seek to take over a system and ransom it back to the owners. And while these hackers are nowhere near as well-resourced as nation state actors, they pose an outsized risk to utility operators, according to Cybereason.

“They’re more prone to make mistakes, and they’re trying to get into the system as quickly as possible, which is different from the groups that DHS talks about that are very slow and methodical,” Rustici told me. “A lot of nation state groups will invest time and money to practice on mock-up networks to avoid detection... Cybercriminals don’t have the time, resources or care for this because they’re looking for a quick buck.”

Many of the control systems used by power plants and other critical infrastructure are old and fragile, so a slip-up could have big effects. Two recent real-world examples shed light on how this might play out in the U.S., Rustici said. In one incident, a sophisticated hacking group’s botched attempt to lay down malware in a Saudi Arabian oil and gas plant caused equipment to shut down until operators could manually flip switches and bring it back online. In another, hackers caused a smelter in a German steel mill to overload and destroy itself in what may have been collateral damage from a cyber-intrusion gone awry.

Those types of errors are “far more likely to be made by a cybercriminal than nation state actors,” Rustici said. In a worst-case scenario, he added, a similar mistake could cause a cascade of failures that causes outages in multiple facilities.

The good news is that cybercriminals are a lot more skittish than nation state actors, Rustici said. Basic cyber-hygiene and diligent threat monitoring can go a long way in scaring them off. The threat from cybercriminals “is larger than we generally focus on, but also in some ways it’s more manageable,” he said. “If you can deter cybercriminals from being successful you go a long way in making the lives of [more sophisticated] actors a lot harder. You may not prevent the intrusion entirely but you’ll make them work harder for it.”


President Trump at the White House in Washington on Aug 28. (Jabin Botsford/The Washington Post)

PINGED: “President Trump asserted early Wednesday, without citing evidence, that Hillary Clinton’s emails were hacked by China, and he said the Justice Department and FBI risked losing their credibility if they did not look into the matter,” The Washington Post’s John Wagner reported. “Writing on Twitter, Trump alleged that much of the former secretary of state’s email that was hacked contained classified information and called it ‘a very big story.’”

Hillary Clinton’s Emails, many of which are Classified Information, got hacked by China. Next move better be by the FBI & DOJ or, after all of their other missteps (Comey, McCabe, Strzok, Page, Ohr, FISA, Dirty Dossier etc.), their credibility will be forever gone!

Report just out: “China hacked Hillary Clinton’s private Email Server.” Are they sure it wasn’t Russia (just kidding!)? What are the odds that the FBI and DOJ are right on top of this? Actually, a very big story. Much classified information!

Trump’s tweets came after the Daily Caller, citing “two sources briefed on the matter,” reported that a Chinese-owned firm operating in the Washington area hacked Clinton’s private server while she served as secretary of state and obtained almost all of her emails. Hua Chunying, spokeswoman for the Chinese Foreign Ministry, said during a daily news briefing in Beijing that China has heard such accusations before. “This isn’t the first time we’ve heard similar kinds of allegations,” Hua said, as quoted by Reuters.

A Yahoo sign at the company's headquarters in Sunnyvale, Calif., on July 19, 2016. (Marcio Jose Sanchez/AP)

PATCHED: While tech companies face increasing scrutiny over data privacy, Yahoo continues to scan user emails. “Yahoo’s owner, the Oath unit of Verizon Communications Inc., has been pitching a service to advertisers that analyzes more than 200 million Yahoo Mail inboxes and the rich user data they contain, searching for clues about what products those users might buy, said people who have attended Oath’s presentations as well as current and former employees of the company,” the Wall Street Journal's Douglas MacMillan, Sarah Krouse and Keach Hagey reported on Tuesday. “Oath said the practice extends to AOL Mail, which it also owns. Together, they constitute the only major U.S. email provider that scans user inboxes for marketing purposes.”

Doug Sharp, vice president of data, measurements and insights at Oath, told the Journal that only commercial emails are scanned, for instance when users receive messages from retailers, and it is possible to opt out. “Yahoo’s algorithms look for commercial emails and identify them using a database of commonly sent emails,” MacMillan, Krouse and Hagey wrote. “The algorithms link certain types of emails to certain consumer preferences, and then place a ‘cookie,’ a piece of tracking code, on that user’s computer to help advertisers show them messages in the future.” Moreover, employees may also look at users' emails in some cases. “In its privacy policy, Oath says all Yahoo Mail users may have portions of some emails reviewed by human employees,” the Journal reported. “Oath employees may manually review sections of mass-mailed commercial emails that appear to be ‘boilerplate,’ or the same for many users, the policy says.”

The logo for Facebook appears on screens at the Nasdaq MarketSite in New York. (AP Photo/Richard Drew)

PWNED: “An apparent Iranian influence operation targeting internet users worldwide is significantly bigger than previously identified, Reuters has found, encompassing a sprawling network of anonymous websites and social media accounts in 11 different languages,” Jack Stubbs and Christopher Bing of Reuters reported on Tuesday. “Facebook and other companies said last week that multiple social media accounts and websites were part of an Iranian project to covertly influence public opinion in other countries. A Reuters analysis has identified 10 more sites and dozens of social media accounts across Facebook, Instagram, Twitter and YouTube.”

The sites and social media accounts that Reuters found are part of a group called International Union of Virtual Media that carries content from Iranian state media and other pro-Iran sources. IUVM often conceals the fact that the content comes from sources affiliated with Iranian authorities. “IUVM uses its network of websites - including a YouTube channel, breaking news service, mobile phone app store, and a hub for satirical cartoons mocking Israel and Iran’s regional rival Saudi Arabia - to distribute content taken from Iranian state media and other outlets which support Tehran’s position on geopolitical issues,” Stubbs and Bing wrote. “Reuters recorded the IUVM network operating in English, French, Arabic, Farsi, Urdu, Pashto, Russian, Hindi, Azerbaijani, Turkish and Spanish.”

Members of the U.S. Election Assistance Commission's Board of Advisors expressed concerns about revisions to the Senate's stalled Secure Elections Act during a meeting on Monday, while also discussing the need for more election security funding for states.

Critics of the FCC’s level of engagement on cybersecurity say more needs to be done to secure basic telecommunications network architecture, as the agency’s public safety bureau reviews comments on providers’ implementation of security recommendations it made last year.

Inside Cybersecurity

PRIVATE KEY

A laptop in North Andover, Mass., on June 19, 2017. (Elise Amendola/AP)

— “Fiserv, Inc., a major provider of technology services to financial institutions, just fixed a glaring weakness in its Web platform that exposed personal and financial details of countless customers across hundreds of bank Web sites, KrebsOnSecurity has learned,” computer security reporter Brian Krebs wrote on Tuesday. A bank customer could have exploited the vulnerability to ultimately monitor other users' daily transaction activity, according to Krebs, who used to work as a reporter for The Washington Post. Fiserv said it patched the weakness after being notified about it.

“Fiserv said in a statement that the problem stemmed from an issue with ‘a messaging solution available to a subset of online banking clients,’” Krebs reported. “Fiserv declined to say exactly how many financial institutions may have been impacted overall. But experts tell KrebsOnSecurity that some 1,700 banks currently use Fiserv’s retail (consumer-focused) banking platform alone.” Krebs wrote that security researcher Kristian Erik Hermansen first informed him about the vulnerability two weeks ago and described how it could be used to monitor transactions. “I shouldn’t be able to see this data,” Hermansen told Krebs. “Anytime you spend money that should be a private transaction between you and your bank, not available for everyone else to see.”

Commuters browse on their smartphones in a subway station in New York on July 1, 2016. (Jewel Samad/AFP/Getty Images)

— “Instagram is adding three new tools to prevent the spread of misinformation on the platform,” the Hill's Tal Axelrod reported. “‘We’ve been focused on the safety of our platform since the very beginning, and today’s updates build upon our existing tools, such as our spam and abusive content filters and the ability to report or block accounts,’ Instagram co-founder and chief technology officer Mike Krieger said in a press release on Tuesday.”

The storage deal might be free for users, but that does not mean communications records are protected in the same way.

ZDNet

SECURITY FAILS

An Apple store in Chicago on Oct. 19, 2017. (Kiichiro Sato/AP)

— Motherboard's Lorenzo Franceschi-Bicchierai reported another example of spyware companies that are hacked or leave data exposed online. “The hacker, who only goes by the initials L.M., told Motherboard in February that he gained access to the servers of TheTruthSpy, a company that sells an Android and iOS spy app to consumers,” Franceschi-Bicchierai wrote on Tuesday. “The hacker was able to steal logins and passwords, pictures, audio recordings intercepted from victims’ phones, text messages, location information, and social media chats, among other data.” TheTruthSpy has presented its services as a way for consumers to spy on spouses. The hacker said he no longer has access to the company's servers because they have been updated.

Motherboard reported that it verified the breach this week after receiving a sample of usernames and log-in credentials from the hacker. Moreover, the hacker said users of TheTruthSpy app kept the same passwords for other online accounts. “This data is very dangerous. You can know everything about any person, and also you know the attacker identity. It is very easy to ransomware them, and gain a lot of dirty money,” the hacker told Franceschi-Bicchierai.

— “Leading human rights groups are calling on Google to cancel its plan to launch a censored version of its search engine in China, which they said would violate the freedom of expression and privacy rights of millions of internet users in the country,” the Intercept's Ryan Gallagher reported. “A coalition of 14 organizations — including Amnesty International, Human Rights Watch, Reporters Without Borders, Access Now, the Committee to Protect Journalists, the Electronic Frontier Foundation, the Center for Democracy and Technology, PEN International, and Human Rights in China — issued the demand Tuesday in an open letter addressed to the internet giant’s CEO, Sundar Pichai.”